- Software company Advanced has been fined by the ICO over a data breach
- This is the first penalty issued to a data processor
- The information of more than 79,000 people was put at risk
The UK Information Commissioner's Office (ICO) has fined the software company Advanced Computer Group LTD £3.07 million following a ransomware attack in 2022 in which NHS data was stolen and systems were encrypted, putting the personal information of 79,404 people at risk.
This is the first fine the ICO has issued to a data processor, and serves as a “brutal reminder that organizations may become the next target without robust security measures in place,” said the commissioner.
The attack disrupted critical services at the time, including NHS 111, and left some health staff unable to access patient files. The stolen information included patient telephone numbers, medical records and most of the access details for the homes of 890 people receiving home care.
Insufficient protections
The ICO investigation found that Advanced Computer Group LTD had not deployed sufficient technical and organizational measures to keep its health and care systems fully secure before the incident, and highlighted gaps in the deployment of multi-factor authentication, inadequate patch management and a “lack of complete vulnerability”.
“The security measures of Advanced's subsidiary were seriously below what we expect from an organization dealing with such a large volume of sensitive information,” said John Edwards, the Information Commissioner.
“While Advanced had installed multi-factor authentication across many of its systems, the lack of full coverage meant that hackers could gain access, putting the sensitive personal information of thousands of people at risk.”
The company was issued a provisional fine of £6 million in August 2024, but this was reduced after considerations were submitted to the ICO, in particular “the proactive engagement of Advanced with the NCSC, the NCA and the NHS in the wake of the attack and other measures taken to mitigate the risk for affected people”.




